By Alex Bender, Director, eGRC Programs and Strategy, EMC
Have you ever been in a situation of having to ask yourself: ‘Don’t we all work for the same company? Why can’t we work from the same playbook, speak the same language and head in a similar direction that gets us closer to the destination we’re all supposed to be aiming for?’
IT vs. Legal? Operations vs. IT? Finance vs. Legal?
Collaboration between divisions within an organization has never been more necessary. In fact, why do we call them divisions? It’s a divisive word; we should call them ‘unification departments’ and put people in charge of doing just that: unifying!
Why is unifying so important? Let’s take the example of information privacy. In a recent survey by the Ponemon Institute that polled over 190 eGRC professionals, it was found that the number-one owner of privacy issues in companies is the legal team, with IT coming in a close second. It was also found that collaboration is the number-one issue organizations have when setting out to achieve a goal or execute against a program such as privacy. Given the importance of such programs today, it’s never been more important for the teams that play a major role in achieving them to collaborate.
There are four key business domains that need to work together systematically to achieve eGRC objectives: IT, legal, operations and finance. Let’s stay with the issue of privacy to see why this is the case. I’ll cover legal and IT in this blog; operations and finance tomorrow.
IT caught in the headlights
Think of any recent data breach to hit the headlines. The initial focus of news stories is on the number of people whose personal information has been leaked, the type of information leaked, and the technological or process failures that allowed the breach to happen (a security loophole exploited by hackers, third-party vendor negligence, a lost computer or other device holding data).
Internally, most of the initial action will probably occur in the IT and legal departments. Even if the breach isn’t a compromise of network defenses — maybe it’s due to an employee losing a backup tape or someone in operations inadvertently sending customer information to the wrong recipient — the incident may well highlight a failure of IT security policy and will have the department scrabbling to identify what happened and pull out all the stops to fix it and ensure that it doesn’t happen again.
Legal under the spotlight
Either in the same breath as reporting the breach, or immediately after, the news will be full of calls for more to be done to protect people’s rights to privacy. Opinion pieces will focus on how this breach will drive further regulatory activities relating to data protection and breach notification in the relevant countries or industry.
Internally, IT finds that it can’t just focus on the breach from a technological, process or policy point of view, but needs to be able to help the legal team figure out what’s happened from a compliance perspective and how the company must legally respond. As well as responding to regulators, legal teams will increasingly find that they need to defend their organization against official sanction as governments start issuing fines for data breaches. The legal ramifications of the incident may last for years as it becomes more and more common for lawsuits to be filed on behalf of individuals whose privacy has been compromised during a breach.
The Ponemon Survey
Part 2 of ‘Don’t we all work for the same company?’